[ntpwg] Security for time bootstrapping and coarse-grained sanity-checking
Bryan Ford <brynosaurus@gmail.com> Mon, 02 November 2015 00:52 UTC
Return-Path: <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
X-Original-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Delivered-To: ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B12771B3EC4 for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Sun, 1 Nov 2015 16:52:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.797
X-Spam-Level:
X-Spam-Status: No, score=-1.797 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_ADSP_CUSTOM_MED=0.001, DKIM_SIGNED=0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, T_DKIM_INVALID=0.01, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WUPMD0FX44QG for <ietfarch-ntp-archives-ahFae6za@ietfa.amsl.com>; Sun, 1 Nov 2015 16:52:22 -0800 (PST)
Received: from lists.ntp.org (lists.ntp.org [IPv6:2001:4f8:fff7:1::7]) by ietfa.amsl.com (Postfix) with ESMTP id 90A501B3EC3 for <ntp-archives-ahFae6za@lists.ietf.org>; Sun, 1 Nov 2015 16:52:22 -0800 (PST)
Received: from lists.ntp.org (lists.ntp.org [149.20.68.7]) by lists.ntp.org (Postfix) with ESMTP id 9323A86DB04 for <ntp-archives-ahFae6za@lists.ietf.org>; Mon, 2 Nov 2015 00:52:21 +0000 (UTC)
X-Original-To: ntpwg@lists.ntp.org
Delivered-To: ntpwg@lists.ntp.org
Received: from mail1.ntp.org (mail1.ntp.org [IPv6:2001:4f8:fff7:1::5]) by lists.ntp.org (Postfix) with ESMTP id 888FC86D55E for <ntpwg@lists.ntp.org>; Sun, 1 Nov 2015 19:49:36 +0000 (UTC)
Received: from mail-pa0-x22b.google.com ([2607:f8b0:400e:c03::22b]) by mail1.ntp.org with esmtps (TLSv1:RC4-SHA:128) (Exim 4.77 (FreeBSD)) (envelope-from <brynosaurus@gmail.com>) id 1Zsyd6-000Ozu-H8 for ntpwg@lists.ntp.org; Sun, 01 Nov 2015 19:49:36 +0000
Received: by pabfh17 with SMTP id fh17so1014298pab.0 for <ntpwg@lists.ntp.org>; Sun, 01 Nov 2015 11:49:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:content-type:subject:message-id:date:to:mime-version; bh=w6ibK14QCLx1C3v50X8OUN0DIq/BmcPGg0uRzbtFLz4=; b=q9rqx3+FMK/6MicA7n3gaGhIlv4c+hbX+/1vzpT46TYYveaCHeVM+N0CDGZSxHNv2s AYhFV6Mst7qx1jeZXFoNQxBMUuGyJikQz91jeWGqCDqbZloVdGvAxDMnsDDkqFNRRmF1 T64xdnAMMM5gYmaSv3xgqnU6SV2Qq29dgM3AFvPHNEIjnXF+rq4TbfuwK9y2SoiCSisa KX/+U9nhkmUylDHvejKpuGJSsCLBHp7PuG0GLjbAXHR3dL+NTYwGLM8IhCxWQdLumneF wsQqcuUtmOmt8MX1UGRoG3EOSvsve1lhElL1Uyfg1FNuXbgRAzc56VAp+jr+q/sd9Cbt zwUw==
X-Received: by 10.68.57.205 with SMTP id k13mr22385049pbq.4.1446407367930; Sun, 01 Nov 2015 11:49:27 -0800 (PST)
Received: from [10.11.2.196] (y125063.ppp.asahi-net.or.jp. [118.243.125.63]) by smtp.gmail.com with ESMTPSA id dg2sm19841156pbb.9.2015.11.01.11.49.26 for <ntpwg@lists.ntp.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sun, 01 Nov 2015 11:49:27 -0800 (PST)
From: Bryan Ford <brynosaurus@gmail.com>
Message-Id: <C2C5C353-1307-499D-B3AE-EE004A04C062@gmail.com>
Date: Mon, 02 Nov 2015 04:49:24 +0900
To: ntpwg@lists.ntp.org
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2104\))
X-Mailer: Apple Mail (2.2104)
X-SA-Exim-Connect-IP: 2607:f8b0:400e:c03::22b
X-SA-Exim-Rcpt-To: ntpwg@lists.ntp.org
X-SA-Exim-Mail-From: brynosaurus@gmail.com
X-SA-Exim-Version: 4.2
X-SA-Exim-Scanned: Yes (on mail1.ntp.org)
X-Mailman-Approved-At: Mon, 02 Nov 2015 00:47:05 +0000
Subject: [ntpwg] Security for time bootstrapping and coarse-grained sanity-checking
X-BeenThere: ntpwg@lists.ntp.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: IETF Working Group for Network Time Protocol <ntpwg.lists.ntp.org>
List-Unsubscribe: <http://lists.ntp.org/options/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=unsubscribe>
List-Archive: <http://lists.ntp.org/pipermail/ntpwg/>
List-Post: <mailto:ntpwg@lists.ntp.org>
List-Help: <mailto:ntpwg-request@lists.ntp.org?subject=help>
List-Subscribe: <http://lists.ntp.org/listinfo/ntpwg>, <mailto:ntpwg-request@lists.ntp.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============5095553220413447740=="
Errors-To: ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org
Sender: ntpwg <ntpwg-bounces+ntp-archives-ahfae6za=lists.ietf.org@lists.ntp.org>
Dear NTP folks, I was just made aware last night at the welcome reception that some of my team's recent work might be of relevance to the "future steps for NTP security" topic that I understand this WG is starting to consider. In brief, we have developed an efficient, scalable collective digital signing protocol, in which many participants "witness" and contribute counter-signatures to an authoritative statement of some kind. Clients can then check this collective signature quickly and nearly as efficiently as checking a single signature. More details about this project and its current status may be found via these links: - Draft paper: http://arxiv.org/abs/1503.08768 <http://arxiv.org/abs/1503.08768> - Slides from a recent talk: http://dedis.cs.yale.edu/dissent/pres/151009-stanford-cothorities.pdf <http://dedis.cs.yale.edu/dissent/pres/151009-stanford-cothorities.pdf> - Prototype implementation: https://github.com/DeDiS/cothority <https://github.com/DeDiS/cothority> We've been most actively exploring this in the context of the PKI problem and in particular the Certificate Transparency (trans) WG effort - but another particular application of this we've long had in mind is a strong "collective time authority", and in fact a preliminary version of such a collective time service is already implemented and working in our prototype. Producing such collective signatures of course incur some latency: in our experiments, currently on the order of 2 seconds for 8000 co-signing witnesses. Thus, collective timestamps are not going to provide high-precision time like NTP is intended to do. Instead, they would serve a different, complementary role: namely to provide a highly secure "coarse-grained" notion of the current time, ensuring that adversaries (especially MITM-capable ones) cannot trick clients into thinking the current time is "way off" the reality (e.g., hours or days). For starters, such a collective time protocol could address this "chicken-and-egg" problem documented in the current NTS draft: 10.2. Initial Verification of the Server Certificates The client may wish to verify the validity of certificates during the initial association phase. Since it generally has no reliable time during this initial communication phase, it is impossible to verify the period of validity of the certificates. To solve this chicken- and-egg problem, the client has to rely on external means. In essence, collective timestamping could solve this bootstrapping problem by allowing any client - on initial bootstrap or "once a day" for example - to send a random challenge or nonce to the collective time authority or any of its co-signing witnesses. Once every few seconds, the collective time authority and its co-signing witnesses aggregate all recently submitted challenges into a scalable Merkle tree, which in this case never actually needs to be transmitted anywhere "in bulk" by anyone. The time authority proposes and broadcasts a timestamped tree root, then all of its witness/cosigners sanity-check the timestamp while contributing their co-signatures. Finally, each client gets the collectively signed root along with a Merkle inclusion proof demonstrating that the timestamp is "fresh" from that client's perspective, and the collective signature attests to the client that not just a single time authority but many independent participants have independently sanity-checked the signed timestamp. In addition to the bootstrapping motivation, a second motivation is merely to protect clients against stronger time-related attacks - for example downgrade attacks against one or more NTP servers, or even MITM attacks against clients attempting using authenticated NTS connections with an NTP server whose private key has been secretly stolen or otherwise "acquired". Some attacks of this type have been getting some news recently (e.g., http://arstechnica.com/security/2015/10/new-attacks-on-network-time-protocol-can-defeat-https-and-create-chaos/ <http://arstechnica.com/security/2015/10/new-attacks-on-network-time-protocol-can-defeat-https-and-create-chaos/>). When clients are using their current notion of time to check whether a certificate has expired, we don't need the client's notion of the time to be millisecond-resolution but we want to be very certain it's not days or months off due to MITM attacks. Similarly, having a secure coarse-grained notion of the time may be important for software update protocols: e.g., if an attacker can convince a client (perhaps one that's been offline for a while or is even just "waking up" for the first time) that the current time is days or months behind the reality, then the attacker might be able to persuade the client via replay attacks to accept an old version of its OS or some other software package, which has a known vulnerability that the attacker would just love to exploit. If there is interest and any time (so to speak) in the NTP meeting this afternoon, I would be happy to do a 5-to-10-minute summary if there is any time available and the WG chairs would deem that to be a suitable use of it. Thanks Bryan
_______________________________________________ ntpwg mailing list ntpwg@lists.ntp.org http://lists.ntp.org/listinfo/ntpwg